Credit unions need to gear up to meet the requirements of a new bill passed unanimously by California lawmakers that gives residents more control over their data.
The legislation, called the California Consumer Privacy Act of 2018, goes into effect on Jan. 1, 2020, and will afford residents the right to compensation if a business misuses their data. This law is long overdue given the growing number of data breaches, including Equifax’s, which compromised 143 million users’ data. It will help to protect members of the credit union industry.
There are 316 credit unions in California with approximately $195 billion in assets that support more than 11 million members as of August, according to Credit Unions Online. However, Privacy Law AB375’s affects should be felt outside the state. It impacts businesses across the country that conduct business with residents of California.
In general, the California Consumer Privacy Act of 2018 provides consumers with certain protections and benefits. For instance, it allows Californians to ask three important questions regarding their data: What data do you collect and store? Why do you collect this data? With whom do you share my data?
Residents can also opt out of the sale of their data and request the deletion of their data. The law allows Californians to receive damages ranging from $100 to $750 per consumer per incident, or more if the actual damages are greater.
The California Credit Union League has conducted an initial analysis of the law and outlined several areas that credit unions will likely need to address prior to its implementation.
For instance, the definition of “consumer” in the law is broad, which means that it will impact members as well as others whose information is stored in credit union databases.
Credit unions will have to provide information to consumers about their data twice a year for free, though there is an allowance to charge a fee if the requests become excessive. Institutions may need additional purge routines and require resolution of conflicts with record retention to meet certain parts of the law.
For example, a member with active accounts may request the credit union to delete any information it has collected that is not necessary to the membership or account relationship.
The deletion of personal information also extends to third parties, which will likely require amending vendor agreements and system coordination.
Credit unions must be able to provide information, such as categories of private information collected and purpose of collecting or selling this information, within 45 days of a request from a member.
Though the law appears not to apply to nonprofit entities, it will affect any entity that is operated for the “financial benefit of its shareholders or other owners.” Credit union lawyers, including those at the California Credit Union League, agree that this would affect credit unions as well.
While there is an exemption for businesses with gross revenue of less than $25 million, this law will still impact a large majority of the credit unions in the United States.
Because of that, credit unions and vendors need to start determining how their systems and processes will accommodate the requirements of this law.
